egg-security disabled, but POST requests still fail with invalid csrf token

Created on 8 Sep 2017  ·  8Comments  ·  Source: eggjs/egg

//plugin.js
'use strict';

exports.validate = {
  enable: true,
  package: 'egg-validate',
};

exports.static = true;

exports.security = {
  xframe: {
    enable: false,
  },
};
I ran the cnode-api project locally and changed this security setting to turn it off, but my POST requests still fail with invalid csrf token. Is there anything else I need to pay attention to?

not follow template

Most helpful comment

To disable csrf, use:

exports.security = {
  csrf: {
    enable: false,
  },
};

All 8 comments

exports.security = {
  xframe: {
    enable: false,
  },
};

This part is configuration; put it in config.default.js.


//config.default.js

'use strict';

module.exports = {
  middleware: [ 'errorHandler' ],
  errorHandler: {
    match: '/api',
  },
  security: {
    xframe: {
      enable: false,
    },
  },
};

I tried this too. I am sending the POST request with Postman.

Please set config.keys first, now using mock keys for dev env (E:\FrontEndWorkspace\egg\cnode-api)
2017-09-08 14:48:50,540 WARN 8716 [-/127.0.0.1/-/26ms POST /api/v2/topics/getRecord] invalid csrf token. See https://eggjs.org/zh-cn/core/security.html#安全威胁csrf的防范
2017-09-08 14:48:50,543 WARN 8716 [-/127.0.0.1/-/28ms POST /api/v2/topics/getRecord] nodejs.ForbiddenError: invalid csrf token
    at Object.throw (E:\FrontEndWorkspace\egg\cnode-api\node_modules\koa\lib\context.js:89:23)
    at Object.assertCsrf (E:\FrontEndWorkspace\egg\cnode-api\node_modules\egg-security\app\extend\context.js:148:17)
    at Object.csrf (E:\FrontEndWorkspace\egg\cnode-api\node_modules\egg-security\lib\middlewares\csrf.js:31:10)
    at csrf.next (<anonymous>)
    at Object.<anonymous> (E:\FrontEndWorkspace\egg\cnode-api\node_modules\koa-compose\index.js:28:19)
    at Generator.next (<anonymous>)
    at onFulfilled (E:\FrontEndWorkspace\egg\cnode-api\node_modules\co\index.js:65:19)
    at E:\FrontEndWorkspace\egg\cnode-api\node_modules\co\index.js:54:5
    at Promise (<anonymous>)
    at Object.co (E:\FrontEndWorkspace\egg\cnode-api\node_modules\co\index.js:50:10)
message: 'invalid csrf token'
pid: 8716

But what you turned off is xframe.


To disable csrf, use:

exports.security = {
  csrf: {
    enable: false,
  },
};

How did the OP solve this in the end? Please let us know.

I am also sending the request from Postman. After disabling csrf I still get invalid csrf token. Did the OP solve it?

@guozefei @ghost You are not disabling csrf inside plugin.js, are you?
It has to go in config.default or config.local.

My mistake: I wrote enabled instead of enable, which caused the error. Sorry @Stupidism
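The thread above turns on three details: `exports.security` in plugin.js does nothing for security settings (plugin.js only registers plugins), `xframe.enable = false` leaves CSRF checking untouched, and a misspelled key such as `csrf.enabled` is silently merged alongside the real `enable` option, so the default `enable: true` stays in force and a token-less POST from Postman is still rejected with 403 "invalid csrf token". The following is an added example, not code from egg or egg-security: a small model of how app config is deep-merged over egg-security's defaults and what the csrf check then does with a POST request. `DEFAULT_SECURITY` is an assumed subset of egg-security's defaults, the function names (`resolveSecurityConfig`, `lintSecurityConfig`, `checkPost`, `runScenarios`) are invented for this illustration, and the token check is simplified to a plain equality between the request token and the `csrfToken` cookie (egg's real ctoken scheme derives the token from a cookie secret).

```javascript
// Added example (not egg or egg-security code). Models config merging and the
// csrf check so the three situations from this thread can be compared side by side.

// Assumed subset of egg-security's default config; only the keys used below.
const DEFAULT_SECURITY = {
  csrf: {
    enable: true,
    cookieName: 'csrfToken',
    headerName: 'x-csrf-token',
    bodyName: '_csrf',
    queryName: '_csrf',
  },
  xframe: { enable: true, value: 'SAMEORIGIN' },
};

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Deep merge: user keys override defaults, unknown keys are kept as-is.
// This is exactly why `csrf.enabled = false` does not turn csrf off: it sits
// next to the default `enable: true` instead of replacing it.
function deepMerge(base, override) {
  const out = { ...base };
  for (const [k, v] of Object.entries(override || {})) {
    out[k] = isPlainObject(out[k]) && isPlainObject(v) ? deepMerge(out[k], v) : v;
  }
  return out;
}

// What config.default.js `security` ends up as after merging over the defaults.
// Anything written under `exports.security` in plugin.js is NOT passed in here.
function resolveSecurityConfig(userSecurity) {
  return deepMerge(DEFAULT_SECURITY, userSecurity);
}

// Flags keys that no section of the (assumed) defaults knows about, which is
// the check that would have caught the `enabled` typo in this thread.
function lintSecurityConfig(userSecurity) {
  const warnings = [];
  for (const [section, opts] of Object.entries(userSecurity || {})) {
    const known = DEFAULT_SECURITY[section];
    if (!known) {
      warnings.push(`unknown section "${section}"`);
      continue;
    }
    for (const key of Object.keys(opts)) {
      if (!(key in known)) {
        const hint = key === 'enabled' ? ' (did you mean "enable"?)' : '';
        warnings.push(`unknown key "${section}.${key}"${hint}`);
      }
    }
  }
  return warnings;
}

// Simplified csrf middleware: skip when disabled or for safe methods, else
// require a token (header, body or query) equal to the csrfToken cookie.
function checkPost(security, req) {
  const csrf = security.csrf;
  if (!csrf.enable || SAFE_METHODS.has(req.method)) return { status: 200 };
  const token =
    (req.headers && req.headers[csrf.headerName]) ||
    (req.body && req.body[csrf.bodyName]) ||
    (req.query && req.query[csrf.queryName]);
  const expected = req.cookies && req.cookies[csrf.cookieName];
  if (!token || !expected || token !== expected) {
    return { status: 403, message: 'invalid csrf token' };
  }
  return { status: 200 };
}

// Constructed request: a Postman POST with no csrf token and no cookie.
const postmanPost = { method: 'POST', headers: {}, body: { id: 1 }, query: {}, cookies: {} };

function runScenarios() {
  const xframeOnly = { xframe: { enable: false } };   // what the OP configured
  const typo = { csrf: { enabled: false } };           // the misspelled key
  const fixed = { csrf: { enable: false } };           // the accepted answer
  const tokenRequest = {
    ...postmanPost,
    headers: { 'x-csrf-token': 'abc' },
    cookies: { csrfToken: 'abc' },
  };
  return {
    xframeOnly: checkPost(resolveSecurityConfig(xframeOnly), postmanPost).status,
    typo: checkPost(resolveSecurityConfig(typo), postmanPost).status,
    typoWarnings: lintSecurityConfig(typo),
    fixed: checkPost(resolveSecurityConfig(fixed), postmanPost).status,
    // csrf left on, but the client sends a matching token: also accepted.
    withToken: checkPost(resolveSecurityConfig({}), tokenRequest).status,
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The last scenario is the one to prefer over disabling the check: keep `csrf.enable` at its default and have the client send the token from the cookie in the `x-csrf-token` header, which is what a browser front end for cnode-api would do anyway.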
